| Commit message (Collapse) | Author | Files | Lines |
|---|
|
Reported by Katherine <luigi30 at gmail dot com> on tech@
|
|
|
|
|
|
|
|
This is effectively a no-op, since most of the code clamps to the maximum
version supported by the TLS method (which are still at TLSv1.2).
ok beck@ bluhm@ tb@
|
|
ok beck@ bluhm@ tb@
|
|
for LibreSSL. Add a (commented out) feature flag for TLSv1.3 and define the
OPENSSL_NO_TLS1_3 anti-feature flag based on the feature flag.
ok beck@ bluhm@ tb@
|
|
|
|
ok beck jsing
|
|
from which a a BIGNUM is chosen uniformly at random.
ok beck jsing
|
|
freeing and indent nearby labels.
ok beck jsing
|
|
takes care of this internally.
ok beck jsing
|
|
RFC 7919 renamed the Supported Elliptic Curves TLS extension to Supported
Groups and redefined it to include finite field DH (FFDH) in addition to
elliptic curve DH (ECDH). As such, rename the TLS extension and change the
associated code to refer to groups rather than curves.
ok beck@ tb@
|
|
by moving the needs/build/parse functions into their own struct.
ok beck@ tb@
|
|
Based on OpenSSL commit 875ba8b21ecc65ad9a6bdc66971e50
by Billy Brumley, Sohaib ul Hassan and Nicola Tuveri.
ok beck jsing
commit 875ba8b21ecc65ad9a6bdc66971e50461660fcbb
Author: Sohaib ul Hassan <soh.19.hassan@gmail.com>
Date: Sat Jun 16 17:07:40 2018 +0300
Implement coordinate blinding for EC_POINT
This commit implements coordinate blinding, i.e., it randomizes the
representative of an elliptic curve point in its equivalence class, for
prime curves implemented through EC_GFp_simple_method,
EC_GFp_mont_method, and EC_GFp_nist_method.
This commit is derived from the patch
https://marc.info/?l=openssl-dev&m=131194808413635 by Billy Brumley.
Coordinate blinding is a generally useful side-channel countermeasure
and is (mostly) free. The function itself takes a few field
multiplicationss, but is usually only necessary at the beginning of a
scalar multiplication (as implemented in the patch). When used this way,
it makes the values that variables take (i.e., field elements in an
algorithm state) unpredictable.
For instance, this mitigates chosen EC point side-channel attacks for
settings such as ECDH and EC private key decryption, for the
aforementioned curves.
For EC_METHODs using different coordinate representations this commit
does nothing, but the corresponding coordinate blinding function can be
easily added in the future to extend these changes to such curves.
Co-authored-by: Nicola Tuveri <nic.tuv@gmail.com>
Co-authored-by: Billy Brumley <bbrumley@gmail.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6526)
|
|
|
|
The tls1_check_ec_tmp_key() function is now rather misnamed, so just inline
the code. Also, rather than running tls1_get_shared_curve() once per EC
cipher suite, we can run it once at the start of the ssl3_choose_cipher()
function.
ok bluhm@ tb@
|
|
Discussed with tb@
|
|
ok bluhm@ tb@
|
|
features (and possibly never will).
|
|
currently exist in OpenSSL - comment out that ones that we do not already
define. Some OPENSSL_NO_* flags that we define have been removed from
OpenSSL (and code that depended on these to know when features are not
available now think that the features have been enabled...). We keep these
defined but in their own separate group.
ok bluhm@ tb@
|
|
|
|
|
|
|
|
to uncompressed rather than compressed.
From Jacqueline Jolicoeur
|
|
handy if you type the path wrong or don't have permission...
ok deraadt@
|
|
and changes to struct visibility/sizes (libssl).
|
|
In January 2017, we changed large amounts of libssl's data structures to
be non-visible/internal, however intentionally left things that the
software ecosystem was needing to use. The four or so applications that
reached into libssl for record layer related state now implement
alternative code. As such, make these data structures internal.
ok tb@
|
|
|
|
libcrypto (the "new" stuff replaced this back around 2000 or so...).
ok tb@
|
|
{CMS,KRB5,SRP} were removed.
|
|
compiler warning by Pavel Kraynyukhov. A similar fix was made in
OpenSSL commit 369e93398b68b8a328e6c1d766222b.
ok inoguchi
|
|
length checks here.
|
|
for wrapping and, accordingly, three 64 bit blocks for unwrapping.
That is: we need at least 16 bytes for wrapping and 24 bytes for
unwrapping. This also matches the lower bounds that OpenSSL have
in their CRYPTO_128_{un,}wrap() functions.
In fact, if we pass an input with 'inlen < 8' to AES_unwrap_key(),
this results in a segfault since then inlen -= 8 underflows.
Found while playing with the Wycheproof keywrap test vectors.
ok bcook
|
|
against libcrypto. Currently contains caller-side length checks that
should really be done in the library. This will be fixed after an
upcoming commit to libcrypto.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
EC_KEY_set_public_key_affine_coordinates() and EC_KEY_get0_public_key()
than using EC_POINT_set_affine_coordinates_GFp() directly.
|
|
|
|
|
|
|
|
|
|
|
|
|
